##// END OF EJS Templates
jro_apps » redmine
RSS
Prevent 500 error on login when there's a typo in OpenID URI scheme, such as http;// or http.//...
Jean-Baptiste Barth -
r3819:83e4cf3dd420
parent child
Show More
Side by Side Unified
Context file:
r3819:83e4cf3dd420 Loading diff...:
Show file before | Show file after | Hide comments
@@ -1,217 +1,224
1 1 # redMine - project management software
2 2 # Copyright (C) 2006-2007 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 require File.dirname(__FILE__) + '/../test_helper'
19 19 require 'account_controller'
20 20
21 21 # Re-raise errors caught by the controller.
22 22 class AccountController; def rescue_action(e) raise e end; end
23 23
24 24 class AccountControllerTest < ActionController::TestCase
25 25 fixtures :users, :roles
26 26
27 27 def setup
28 28 @controller = AccountController.new
29 29 @request = ActionController::TestRequest.new
30 30 @response = ActionController::TestResponse.new
31 31 User.current = nil
32 32 end
33 33
34 34 def test_login_should_redirect_to_back_url_param
35 35 # request.uri is "test.host" in test environment
36 36 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.host%2Fissues%2Fshow%2F1'
37 37 assert_redirected_to '/issues/show/1'
38 38 end
39 39
40 40 def test_login_should_not_redirect_to_another_host
41 41 post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.foo%2Ffake'
42 42 assert_redirected_to '/my/page'
43 43 end
44 44
45 45 def test_login_with_wrong_password
46 46 post :login, :username => 'admin', :password => 'bad'
47 47 assert_response :success
48 48 assert_template 'login'
49 49 assert_tag 'div',
50 50 :attributes => { :class => "flash error" },
51 51 :content => /Invalid user or password/
52 52 end
53 53
54 54 if Object.const_defined?(:OpenID)
55 55
56 56 def test_login_with_openid_for_existing_user
57 57 Setting.self_registration = '3'
58 58 Setting.openid = '1'
59 59 existing_user = User.new(:firstname => 'Cool',
60 60 :lastname => 'User',
61 61 :mail => 'user@somedomain.com',
62 62 :identity_url => 'http://openid.example.com/good_user')
63 63 existing_user.login = 'cool_user'
64 64 assert existing_user.save!
65 65
66 66 post :login, :openid_url => existing_user.identity_url
67 67 assert_redirected_to 'my/page'
68 68 end
69 69
70 def test_login_with_invalid_openid_provider
71 Setting.self_registration = '0'
72 Setting.openid = '1'
73 post :login, :openid_url => 'http;//openid.example.com/good_user'
74 assert_redirected_to home_url
75 end
76
70 77 def test_login_with_openid_for_existing_non_active_user
71 78 Setting.self_registration = '2'
72 79 Setting.openid = '1'
73 80 existing_user = User.new(:firstname => 'Cool',
74 81 :lastname => 'User',
75 82 :mail => 'user@somedomain.com',
76 83 :identity_url => 'http://openid.example.com/good_user',
77 84 :status => User::STATUS_REGISTERED)
78 85 existing_user.login = 'cool_user'
79 86 assert existing_user.save!
80 87
81 88 post :login, :openid_url => existing_user.identity_url
82 89 assert_redirected_to 'login'
83 90 end
84 91
85 92 def test_login_with_openid_with_new_user_created
86 93 Setting.self_registration = '3'
87 94 Setting.openid = '1'
88 95 post :login, :openid_url => 'http://openid.example.com/good_user'
89 96 assert_redirected_to 'my/account'
90 97 user = User.find_by_login('cool_user')
91 98 assert user
92 99 assert_equal 'Cool', user.firstname
93 100 assert_equal 'User', user.lastname
94 101 end
95 102
96 103 def test_login_with_openid_with_new_user_and_self_registration_off
97 104 Setting.self_registration = '0'
98 105 Setting.openid = '1'
99 106 post :login, :openid_url => 'http://openid.example.com/good_user'
100 107 assert_redirected_to home_url
101 108 user = User.find_by_login('cool_user')
102 109 assert ! user
103 110 end
104 111
105 112 def test_login_with_openid_with_new_user_created_with_email_activation_should_have_a_token
106 113 Setting.self_registration = '1'
107 114 Setting.openid = '1'
108 115 post :login, :openid_url => 'http://openid.example.com/good_user'
109 116 assert_redirected_to 'login'
110 117 user = User.find_by_login('cool_user')
111 118 assert user
112 119
113 120 token = Token.find_by_user_id_and_action(user.id, 'register')
114 121 assert token
115 122 end
116 123
117 124 def test_login_with_openid_with_new_user_created_with_manual_activation
118 125 Setting.self_registration = '2'
119 126 Setting.openid = '1'
120 127 post :login, :openid_url => 'http://openid.example.com/good_user'
121 128 assert_redirected_to 'login'
122 129 user = User.find_by_login('cool_user')
123 130 assert user
124 131 assert_equal User::STATUS_REGISTERED, user.status
125 132 end
126 133
127 134 def test_login_with_openid_with_new_user_with_conflict_should_register
128 135 Setting.self_registration = '3'
129 136 Setting.openid = '1'
130 137 existing_user = User.new(:firstname => 'Cool', :lastname => 'User', :mail => 'user@somedomain.com')
131 138 existing_user.login = 'cool_user'
132 139 assert existing_user.save!
133 140
134 141 post :login, :openid_url => 'http://openid.example.com/good_user'
135 142 assert_response :success
136 143 assert_template 'register'
137 144 assert assigns(:user)
138 145 assert_equal 'http://openid.example.com/good_user', assigns(:user)[:identity_url]
139 146 end
140 147
141 148 def test_setting_openid_should_return_true_when_set_to_true
142 149 Setting.openid = '1'
143 150 assert_equal true, Setting.openid?
144 151 end
145 152
146 153 else
147 154 puts "Skipping openid tests."
148 155 end
149 156
150 157 def test_logout
151 158 @request.session[:user_id] = 2
152 159 get :logout
153 160 assert_redirected_to ''
154 161 assert_nil @request.session[:user_id]
155 162 end
156 163
157 164 context "GET #register" do
158 165 context "with self registration on" do
159 166 setup do
160 167 Setting.self_registration = '3'
161 168 get :register
162 169 end
163 170
164 171 should_respond_with :success
165 172 should_render_template :register
166 173 should_assign_to :user
167 174 end
168 175
169 176 context "with self registration off" do
170 177 setup do
171 178 Setting.self_registration = '0'
172 179 get :register
173 180 end
174 181
175 182 should_redirect_to('/') { home_url }
176 183 end
177 184 end
178 185
179 186 # See integration/account_test.rb for the full test
180 187 context "POST #register" do
181 188 context "with self registration on automatic" do
182 189 setup do
183 190 Setting.self_registration = '3'
184 191 post :register, :user => {
185 192 :login => 'register',
186 193 :password => 'test',
187 194 :password_confirmation => 'test',
188 195 :firstname => 'John',
189 196 :lastname => 'Doe',
190 197 :mail => 'register@example.com'
191 198 }
192 199 end
193 200
194 201 should_respond_with :redirect
195 202 should_assign_to :user
196 203 should_redirect_to('my page') { {:controller => 'my', :action => 'account'} }
197 204
198 205 should_create_a_new_user { User.last(:conditions => {:login => 'register'}) }
199 206
200 207 should 'set the user status to active' do
201 208 user = User.last(:conditions => {:login => 'register'})
202 209 assert user
203 210 assert_equal User::STATUS_ACTIVE, user.status
204 211 end
205 212 end
206 213
207 214 context "with self registration off" do
208 215 setup do
209 216 Setting.self_registration = '0'
210 217 post :register
211 218 end
212 219
213 220 should_redirect_to('/') { home_url }
214 221 end
215 222 end
216 223
217 224 end
Show file before | Show file after | Hide comments
@@ -1,241 +1,241
1 1 require 'uri'
2 2 require 'openid/extensions/sreg'
3 3 require 'openid/extensions/ax'
4 4 require 'openid/store/filesystem'
5 5
6 6 require File.dirname(__FILE__) + '/open_id_authentication/db_store'
7 7 require File.dirname(__FILE__) + '/open_id_authentication/mem_cache_store'
8 8 require File.dirname(__FILE__) + '/open_id_authentication/request'
9 9 require File.dirname(__FILE__) + '/open_id_authentication/timeout_fixes' if OpenID::VERSION == "2.0.4"
10 10
11 11 module OpenIdAuthentication
12 12 OPEN_ID_AUTHENTICATION_DIR = RAILS_ROOT + "/tmp/openids"
13 13
14 14 def self.store
15 15 @@store
16 16 end
17 17
18 18 def self.store=(*store_option)
19 19 store, *parameters = *([ store_option ].flatten)
20 20
21 21 @@store = case store
22 22 when :db
23 23 OpenIdAuthentication::DbStore.new
24 24 when :mem_cache
25 25 OpenIdAuthentication::MemCacheStore.new(*parameters)
26 26 when :file
27 27 OpenID::Store::Filesystem.new(OPEN_ID_AUTHENTICATION_DIR)
28 28 else
29 29 raise "Unknown store: #{store}"
30 30 end
31 31 end
32 32
33 33 self.store = :db
34 34
35 35 class InvalidOpenId < StandardError
36 36 end
37 37
38 38 class Result
39 39 ERROR_MESSAGES = {
40 40 :missing => "Sorry, the OpenID server couldn't be found",
41 41 :invalid => "Sorry, but this does not appear to be a valid OpenID",
42 42 :canceled => "OpenID verification was canceled",
43 43 :failed => "OpenID verification failed",
44 44 :setup_needed => "OpenID verification needs setup"
45 45 }
46 46
47 47 def self.[](code)
48 48 new(code)
49 49 end
50 50
51 51 def initialize(code)
52 52 @code = code
53 53 end
54 54
55 55 def status
56 56 @code
57 57 end
58 58
59 59 ERROR_MESSAGES.keys.each { |state| define_method("#{state}?") { @code == state } }
60 60
61 61 def successful?
62 62 @code == :successful
63 63 end
64 64
65 65 def unsuccessful?
66 66 ERROR_MESSAGES.keys.include?(@code)
67 67 end
68 68
69 69 def message
70 70 ERROR_MESSAGES[@code]
71 71 end
72 72 end
73 73
74 74 # normalizes an OpenID according to http://openid.net/specs/openid-authentication-2_0.html#normalization
75 75 def self.normalize_identifier(identifier)
76 76 # clean up whitespace
77 77 identifier = identifier.to_s.strip
78 78
79 79 # if an XRI has a prefix, strip it.
80 80 identifier.gsub!(/xri:\/\//i, '')
81 81
82 82 # dodge XRIs -- TODO: validate, don't just skip.
83 83 unless ['=', '@', '+', '$', '!', '('].include?(identifier.at(0))
84 84 # does it begin with http? if not, add it.
85 85 identifier = "http://#{identifier}" unless identifier =~ /^http/i
86 86
87 87 # strip any fragments
88 88 identifier.gsub!(/\#(.*)$/, '')
89 89
90 90 begin
91 91 uri = URI.parse(identifier)
92 uri.scheme = uri.scheme.downcase # URI should do this
92 uri.scheme = uri.scheme.downcase if uri.scheme # URI should do this
93 93 identifier = uri.normalize.to_s
94 94 rescue URI::InvalidURIError
95 95 raise InvalidOpenId.new("#{identifier} is not an OpenID identifier")
96 96 end
97 97 end
98 98
99 99 return identifier
100 100 end
101 101
102 102 # deprecated for OpenID 2.0, where not all OpenIDs are URLs
103 103 def self.normalize_url(url)
104 104 ActiveSupport::Deprecation.warn "normalize_url has been deprecated, use normalize_identifier instead"
105 105 self.normalize_identifier(url)
106 106 end
107 107
108 108 protected
109 109 def normalize_url(url)
110 110 OpenIdAuthentication.normalize_url(url)
111 111 end
112 112
113 113 def normalize_identifier(url)
114 114 OpenIdAuthentication.normalize_identifier(url)
115 115 end
116 116
117 117 # The parameter name of "openid_identifier" is used rather than the Rails convention "open_id_identifier"
118 118 # because that's what the specification dictates in order to get browser auto-complete working across sites
119 119 def using_open_id?(identity_url = nil) #:doc:
120 120 identity_url ||= params[:openid_identifier] || params[:openid_url]
121 121 !identity_url.blank? || params[:open_id_complete]
122 122 end
123 123
124 124 def authenticate_with_open_id(identity_url = nil, options = {}, &block) #:doc:
125 125 identity_url ||= params[:openid_identifier] || params[:openid_url]
126 126
127 127 if params[:open_id_complete].nil?
128 128 begin_open_id_authentication(identity_url, options, &block)
129 129 else
130 130 complete_open_id_authentication(&block)
131 131 end
132 132 end
133 133
134 134 private
135 135 def begin_open_id_authentication(identity_url, options = {})
136 136 identity_url = normalize_identifier(identity_url)
137 137 return_to = options.delete(:return_to)
138 138 method = options.delete(:method)
139 139
140 140 options[:required] ||= [] # reduces validation later
141 141 options[:optional] ||= []
142 142
143 143 open_id_request = open_id_consumer.begin(identity_url)
144 144 add_simple_registration_fields(open_id_request, options)
145 145 add_ax_fields(open_id_request, options)
146 146 redirect_to(open_id_redirect_url(open_id_request, return_to, method))
147 147 rescue OpenIdAuthentication::InvalidOpenId => e
148 148 yield Result[:invalid], identity_url, nil
149 149 rescue OpenID::OpenIDError, Timeout::Error => e
150 150 logger.error("[OPENID] #{e}")
151 151 yield Result[:missing], identity_url, nil
152 152 end
153 153
154 154 def complete_open_id_authentication
155 155 params_with_path = params.reject { |key, value| request.path_parameters[key] }
156 156 params_with_path.delete(:format)
157 157 open_id_response = timeout_protection_from_identity_server { open_id_consumer.complete(params_with_path, requested_url) }
158 158 identity_url = normalize_identifier(open_id_response.display_identifier) if open_id_response.display_identifier
159 159
160 160 case open_id_response.status
161 161 when OpenID::Consumer::SUCCESS
162 162 profile_data = {}
163 163
164 164 # merge the SReg data and the AX data into a single hash of profile data
165 165 [ OpenID::SReg::Response, OpenID::AX::FetchResponse ].each do |data_response|
166 166 if data_response.from_success_response( open_id_response )
167 167 profile_data.merge! data_response.from_success_response( open_id_response ).data
168 168 end
169 169 end
170 170
171 171 yield Result[:successful], identity_url, profile_data
172 172 when OpenID::Consumer::CANCEL
173 173 yield Result[:canceled], identity_url, nil
174 174 when OpenID::Consumer::FAILURE
175 175 yield Result[:failed], identity_url, nil
176 176 when OpenID::Consumer::SETUP_NEEDED
177 177 yield Result[:setup_needed], open_id_response.setup_url, nil
178 178 end
179 179 end
180 180
181 181 def open_id_consumer
182 182 OpenID::Consumer.new(session, OpenIdAuthentication.store)
183 183 end
184 184
185 185 def add_simple_registration_fields(open_id_request, fields)
186 186 sreg_request = OpenID::SReg::Request.new
187 187
188 188 # filter out AX identifiers (URIs)
189 189 required_fields = fields[:required].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact
190 190 optional_fields = fields[:optional].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact
191 191
192 192 sreg_request.request_fields(required_fields, true) unless required_fields.blank?
193 193 sreg_request.request_fields(optional_fields, false) unless optional_fields.blank?
194 194 sreg_request.policy_url = fields[:policy_url] if fields[:policy_url]
195 195 open_id_request.add_extension(sreg_request)
196 196 end
197 197
198 198 def add_ax_fields( open_id_request, fields )
199 199 ax_request = OpenID::AX::FetchRequest.new
200 200
201 201 # look through the :required and :optional fields for URIs (AX identifiers)
202 202 fields[:required].each do |f|
203 203 next unless f =~ /^https?:\/\//
204 204 ax_request.add( OpenID::AX::AttrInfo.new( f, nil, true ) )
205 205 end
206 206
207 207 fields[:optional].each do |f|
208 208 next unless f =~ /^https?:\/\//
209 209 ax_request.add( OpenID::AX::AttrInfo.new( f, nil, false ) )
210 210 end
211 211
212 212 open_id_request.add_extension( ax_request )
213 213 end
214 214
215 215 def open_id_redirect_url(open_id_request, return_to = nil, method = nil)
216 216 open_id_request.return_to_args['_method'] = (method || request.method).to_s
217 217 open_id_request.return_to_args['open_id_complete'] = '1'
218 218 open_id_request.redirect_url(root_url, return_to || requested_url)
219 219 end
220 220
221 221 def requested_url
222 222 relative_url_root = self.class.respond_to?(:relative_url_root) ?
223 223 self.class.relative_url_root.to_s :
224 224 request.relative_url_root
225 225 "#{request.protocol}#{request.host_with_port}#{relative_url_root}#{request.path}"
226 226 end
227 227
228 228 def timeout_protection_from_identity_server
229 229 yield
230 230 rescue Timeout::Error
231 231 Class.new do
232 232 def status
233 233 OpenID::FAILURE
234 234 end
235 235
236 236 def msg
237 237 "Identity server timed out"
238 238 end
239 239 end.new
240 240 end
241 241 end
General Comments 0
You need to be logged in to leave comments. Login now